Google Patches Buzz Security Hole

Google has fixed a cross-site scripting bug that allowed attackers to take control of Google Buzz accounts.

The bug affects the mobile version of Buzz and was reported on 16 February by SecTheory CEO Robert Hansen. Google patched the vulnerability the same day.

According to Hansen, news of the flaw was passed along to him by a hacker with the moniker of TrainReq.

“There [are] four things of note here,” Hansen blogged. “Firstly, it’s on Google’s domain, not some other domain like Google Gadgets or something. So, yes, it’s bad for phishing and for cookies. Secondly, it’s over SSL/TLS [Secure Sockets Layer/Transport Layer Security] (so no one should be able to see what’s going on, right?). Third, it could be used to hijack Google Buzz – as if anyone is using that product (or at least you shouldn’t be). And lastly, isn’t it ironic that Google is asking to know where I am on the very same page that’s being compromised?”

Hansen was referring to the location feature in Buzz that shows where Buzz users are when they post. This feature can be turned off by the user.

“We have no indication that the vulnerability was actively abused,” a Google spokesperson said. “We understand the importance of our users’ security, and we are committed to further improving the security of Google Buzz.”

In the week since Buzz was launched, Google has faced criticism over privacy issues associated with the service. On 16 February, the Electronic Privacy Information Center filed a complaint with the Federal Trade Commission that charged Google with failing to protect users’ privacy. In an interview with eWEEK, Google Vice President of Product Management Bradley Horowitz said the company did not expect the negative response that Google Buzz received on the privacy issue.

“While the outcome was not something I would have wished for or predicted, the remedies and response of the team [have] really indicated to me that we have a great core competency at Google in terms of being able to develop social software, to be in dialogue with our users and to rapidly iterate and improve the product,” Horowitz told eWEEK.